When the WannaCry malware came out, it had two major functions: it was a worm, so it spread from computer to computer automatically, and it was ransomware.

The fee it demanded was typically $300, converted into Bitcoin (BTC) and sent to one of several bitcoin addresses.

Bitcoin is sort-of anonymous: in particular, a bitcoin address doesn’t include your name, or an account number, or any other PII (personally identifiable information).

But the amount of money attached to a bitcoin address is a matter of public record – the Bitcoin transaction ledger, or blockchain, is public, and tells you the sending address, the receiving address and the amount of each transaction.

In other words, once a bitcoin address is connected to a specific event, such as a ransomware outbreak, anyone can track how much money is coming in and going out, even though the account holder is unknown.
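As an added example (not from the original article), a few lines of Python over a constructed toy ledger show what "public record" means in practice: anyone can compute an address's balance and follow its outgoing coins hop by hop. Address names and amounts are made up; amounts are in satoshis (1 BTC = 100,000,000 sat).

```python
from collections import defaultdict, deque

# Constructed toy ledger, not real Bitcoin data: (sender, receiver, amount_sat).
# "coinbase" stands in for newly mined coins entering the system.
LEDGER = [
    ("coinbase", "victim1", 100_000_000),
    ("coinbase", "victim2", 50_000_000),
    ("coinbase", "shop", 200_000_000),
    ("victim1", "ransom_addr", 15_000_000),        # ransom payment
    ("victim2", "ransom_addr", 15_000_000),        # ransom payment
    ("ransom_addr", "hop1", 30_000_000),           # later withdrawal
    ("hop1", "exchange_deposit", 30_000_000),      # and onward
    ("shop", "supplier", 100_000_000),             # unrelated traffic
]

def balances(ledger):
    """Net balance of every address (inflows minus outflows), computable by anyone."""
    bal = defaultdict(int)
    for sender, receiver, amount in ledger:
        bal[sender] -= amount
        bal[receiver] += amount
    return dict(bal)

def flows(ledger, address):
    """Total received by and total sent from one address."""
    received = sum(a for _, r, a in ledger if r == address)
    sent = sum(a for s, _, a in ledger if s == address)
    return received, sent

def trace_forward(ledger, start, max_hops):
    """Follow outgoing transactions from `start` up to max_hops transfers
    downstream; returns {address: hop_count} for everything reached."""
    by_sender = defaultdict(list)
    for s, r, _ in ledger:
        by_sender[s].append(r)
    seen = {start: 0}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if seen[addr] >= max_hops:
            continue
        for nxt in by_sender[addr]:
            if nxt not in seen:
                seen[nxt] = seen[addr] + 1
                queue.append(nxt)
    return seen
```

Once a flagged address is tied to an event, `flows` gives the "how much came in and went out" figure and `trace_forward` shows where withdrawals went, which is exactly the kind of watching the Twitter account mentioned below was doing.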

To the likely surprise of the crooks, most WannaCry victims refused to pay, so that the crooks’ bitcoin wallets were plump but not bulging, topping out at about $150,000 by the end of the malware outbreak.

After the malware died down, the crooks left those bitcoins alone, perhaps fearing the attention that withdrawals from the tainted wallets might attract.

Until… a Twitter account that was keeping an eye on the WannaCry revenue reported a series of withdrawals leaving the balance at $0.

We don’t know who withdrew the funds or why, and we might never find out if the withdrawals are successfully laundered.

In the case of bitcoin this is typically achieved using a so-called “tumbler” service.

For a fee, tumblers shunt bitcoins through a random sequence of accounts, rather like Tor shunts your network traffic through a random set of computers to disguise what’s really going on.

Criminals use them because, if law enforcement can link a wallet known to have been involved in a crime to another action online that reveals a sliver of the owner’s PII, then they have a chance of unmasking the crooks.

Journalist Patrick O’Neill of CyberScoop is reporting that rather than being tumbled, the ill-gotten bitcoins have been converted into another cryptocurrency, Monero, on the ShapeShift.io exchange.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Follow him on Twitter: @duckblog

3 comments on “WannaCry crooks cash out their ransom”

I think it’s misleading to say the Bitcoin blockchain has to be public in order for everyone to verify the Bitcoin transactions. The transparency of the bitcoin ledger was simply a decision made by the developers. Look at Monero for instance: a public ledger with built-in privacy.